Operating an Apache 2.4.7 server on Ubuntu 14.04 LTS, I am having an issue with a configuration set up to "Restrict File Extensions," as recommended by the Center for Internet Security (CIS). The basic idea is (1) restrict all files, then (2) allow access only to the file types to be served.
The MAIN_APACHE2.conf file includes, in relevant part, the following:
<Directory />
    Require all denied
    AllowOverride None
    Options None
    <LimitExcept GET HEAD OPTIONS>
        Require all denied
    </LimitExcept>
</Directory>
<FilesMatch "^.*$">
    Require all denied
</FilesMatch>
The included V_HOST.conf file includes, in relevant part, the following:
DocumentRoot /var/www/html
<Directory /var/www/html>
    Require all granted
    <FilesMatch "^.*\.(htm)$">
        Require all granted
    </FilesMatch>
</Directory>
The only file on the server is an entirely self-contained test file "index.htm" located in the vhost document root. Attempting to hit the server with this configuration results in a 403 error. Thinking that this issue might be a question of how the FilesMatch merges, especially with the vhost set up and the nested Directory directive, I substituted the following in the V_HOST.conf file:
<Directory /var/www/html>
    Require all granted
    <FilesMatch "^.*$">
        Require all granted
    </FilesMatch>
</Directory>
Somewhat to my surprise, this works! So ... what am I missing? Is this a problem with the regular expression? Am I missing some "other" file that the Apache server needs to be able to read? I have tried any number of other expressions, have attempted with ALL of the FilesMatch in the MAIN_APACHE2.conf (outside of the Directory directive) and at this point am just stuck!
Any pointers here are greatly appreciated. Of course, if I should be on Stack Overflow or somewhere else with this please let me know.
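The following is an added model, not code from the post, of how Apache 2.4 merges the two configurations shown above: <Directory> sections apply first, then every <Files>/<FilesMatch> section in configuration order (main server before <VirtualHost>), with the last matching "Require" winning. It assumes that the initial request for "/" is authorized against the directory's own filename (last path component "html", which has no .htm suffix) before mod_dir issues its subrequest for index.htm, and the request URIs are constructed samples.

```python
import re
from posixpath import basename

# Each config lists only its <FilesMatch> sections, in merge order.
# The <Directory /var/www/html> decision for paths under the docroot
# is "granted", so that is the starting verdict before Files sections apply.
POSTED_CONFIG = [                 # the configuration that returns 403 for "/"
    (r"^.*$", "denied"),          # MAIN_APACHE2.conf
    (r"^.*\.(htm)$", "granted"),  # V_HOST.conf, inside <Directory /var/www/html>
]
WORKAROUND_CONFIG = [             # the substitution the poster found to work
    (r"^.*$", "denied"),
    (r"^.*$", "granted"),
]

DOCROOT = "/var/www/html"


def resolve(uri):
    """Map a request URI to the filename Apache tests.  Assumption: a request
    for "/" is checked against the directory itself first, so its last path
    component is "html" and carries no .htm suffix."""
    return DOCROOT if uri == "/" else DOCROOT + uri


def files_match_verdict(filename, sections, directory_verdict="granted"):
    """Apply <FilesMatch> sections to the last path component only; the last
    matching section's Require replaces the earlier verdict (Apache 2.4
    behaviour with AuthMerging Off, its default)."""
    name = basename(filename)
    verdict = directory_verdict
    for pattern, section_verdict in sections:
        if re.search(pattern, name):
            verdict = section_verdict
    return verdict


def simulate(sections, uris=("/", "/index.htm", "/notes.txt", "/.htaccess")):
    """Return {uri: verdict} for a constructed set of request URIs."""
    return {u: files_match_verdict(resolve(u), sections) for u in uris}


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("workaround", WORKAROUND_CONFIG)):
        print(label, simulate(cfg))
```

Under this model the posted config denies "/" (and so 403s before index.htm is ever tried) while granting /index.htm, and the workaround grants every name including constructed files such as /notes.txt, which is the allow-list protection the CIS control was meant to provide (the stock apache2.conf's separate `^\.ht` deny block is not modelled here).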